MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294
SHA3-384 hash: 59623e3a10f621c74cfc05a3ce69c68b1c843f58161d82503ec7703071304195ece605e52c1fccfdbc5c515976fbae1e
SHA1 hash: 16f5f0bac5a0a069cbe6d80a52d3635c30c41253
MD5 hash: 2102d6dbe4270144a034a063f04593d3
humanhash: video-beer-lion-stairway
File name:SecuriteInfo.com.Win64.MalwareX-gen.19549485
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'562'560 bytes
First seen:2025-08-12 12:04:12 UTC
Last seen:2025-08-12 12:19:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f2b8e732a057a6213dc3fae875c5b9c (8 x LummaStealer, 4 x Rhadamanthys, 2 x DarkCloud)
ssdeep 24576:y4jqcduwlNvFzWI//3YOf4BUGYeXQadyE0j8aBoKj61TtHCmAu+mfTg+Ccx7Alku:icduIzW0YzUKXlS8uj2FCPk7IlklEH
Threatray 360 similar samples on MalwareBazaar
TLSH T149C5AF18E87990D6FCC301B13B699252A4237F7BCE3C69AB50F89B50114ADFD163B52B
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
54
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9b55f6144b096d141be338f36ad10386818e04ed8166899fbb3de0ac3f53b51c.zip
Verdict:
Malicious activity
Analysis date:
2025-08-12 10:58:35 UTC
Tags:
auto amadey botnet stealer loader rdp lumma telegram vidar stealc gcleaner remote xworm hijackloader autoit purecrypter generic salatstealer crypto-regex
Link:
https://app.any.run/tasks/60a0c327-5648-44b6-af97-9c7b1aeeb82c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/20347/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.19549485.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689b2577fca70bd90e8ee695
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed similar-threat
Link:
https://www.filescan.io/uploads/689b2ddb397fd3ce6fa60d69/reports/5197ccc6-dba4-4c37-a2b1-f9ce7c116e31/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6d16e675-15d4-4793-98ca-dc3124798aa6
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/2102d6dbe4270144a034a063f04593d3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-12 10:51:33 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bzu4esekc2jtjkalxklmzsj43zg2nvjblg2wfxn2qpmua73kkka._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
0c1423ad9a491005c67ee6f8dc523fcd2721496178fb78a3e2fa5936e2801e7f
LummaStealer
35ea5a7eb2953f260503a3bb1178a4c934c1aaa613702e2d072e73ab0b01f15d
LummaStealer
38d9f67afa98d1141e298e7445e2abf2be64deb424c0ca3bf54aa2ff76d31aae
LummaStealer
8939b7f4bead215b815226e74321bbdd2051058b1d80ec70affb8337fda1445d
LummaStealer
a5d1f6f319c01edca36c2c01f5f54ac94fb85d88494aa043b4e426f4a964c849
LummaStealer
b36aadec945e219eb2b54232bc057fff4fb9f5da6229c00f54ba3f1a66876f64
LummaStealer
error
LummaStealer
+ 350 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250812-n8wg3a1tez/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://vaganetka.ru/opza/api
https://mastwin.in/qsaz/api
https://ordinarniyvrach.ru/xiur/api
https://yamakrug.ru/lzka/api
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://stolewnica.ru/xjuf/api
https://visokiywkaf.ru/mmtn/api
https://kletkamozga.ru/iwyq/api
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/22e4c7a5-e73e-4a19-b295-b2b158628c95
Unpacked files
SH256 hash:
f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294
MD5 hash:
2102d6dbe4270144a034a063f04593d3
SHA1 hash:
16f5f0bac5a0a069cbe6d80a52d3635c30c41253
Link:
https://www.unpac.me/results/31b35ee5-1be6-4909-a148-c59118ea39cc/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8734e124450/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe f8734e124450b499a5405dd4b66649e6f26d36a90acdab16edd41eca03fb5294

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3601322/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/20347/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::CreateWindowExW

Comments